Have you seen this?

Published: 2011-04-09
Last Updated: 2011-04-09 13:22:48 UTC
by Chris Carboni (Version: 1)
10 comment(s)

Steve writes,

"I can't put all the pieces together, but there's a malicious scheme afoot involving SQL insertion attempts and search engine optimization, I think.  Seeing logs with an insertion attempt for 0x31303235343830303536 (or "1025480056"), I googled the translated value.  There are a ton of hits on "1025480056" which include the SQL insertion attack in the link that Google presents.  Is this a magic number for Oracle, mysql or MS SQL?  Clearly evil, I'm not sure why, though."

Have you seen this before?  Do you have any idea what it is?  if so, please leave your comments.

Christopher Carboni - Handler On Duty

Keywords:
10 comment(s)

Comments

There seem to be some ideas on StackExchange, but no definitive answers there, either. http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
I found it here:
http://ceh.vn/@4rum/showthread.php?1405-H%C6%B0%E1%BB%9Bng-d%E1%BA%ABn-hack-MYSQL-Injection-trong-PHP-chi-ti%E1%BA%BFt-cho-newbie.
Where it is referenced as the max int value.
It also seems to be used in a hack-tool:
http://www.threatexpert.com/report.aspx?md5=6d56f9bb33a73a128e205cf69b381619
The value is mysql's maxint which is treated as null. It is used instead of nulls to make the query less readable when padding values such as when the sql query that is getting injected returns rows the attacker has no use for.
@finack - source? According to MySQL documentation (http://dev.mysql.com/doc/refman/4.1/en/numeric-types.html), the max int value is 4294967295.
Sorry, I do seem seem to be wrong there. The Havij SQL injection tool appears to be a common source of these attacks that select 0x31303235343830303536 as a placeholder column, perhaps they'd be willing to shed some light on the specific mechanism in action there.

Havij: http://www.itsecteam.com/en/projects/project1.htm

SQL injections with Havij user-agent: https://encrypted.google.com/search?hl=en&q=0x31303235343830303536%20havij
Again from ThreatExpert:

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
%System%\MSVBVM60.DLL

Note:
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Are you seeing any reference to %System%\MSVBVM60.DLL?
From what I can tell, this is just a convenient "unique" string that Havij uses. If you search for 1025480056 on Google, you'll get a bunch of sites vulnerable to SQL injection.

The query itself is pretty standard. All it does is add rows to the query result (not the table) that have that number, so it's easy to tell if the SQLi worked on the page.
It's the wrong size (10 bytes vs. 4 or 8) to be a special float/double/int like the recent PHP/Java floating-point bug (infinite loop converting "2.2250738585072011e-308" from string to float).

This is quite clearly a BCD encoding of the integer 1025480056, for whatever reason. Could that mean the UNIX date for 2002-06-30T23:34:16Z? I don't know of any particular significance of that time or date... The 2002 FIFA World Cup was 12 hours prior, and an air accident (Flight 2937) happened 2 hours prior.

I'm fairly sure it wasn't the malware author's birthday.
Hello,

if you check your web logs you should see many of these entries with increasing number of 0x31..., first request with one , second with two, etc. we can safely assume that there is a tool behind it, one (havij) has already been mentioned in a previous comment. It is a way for the tool to brute force the number of columns to be used in a sql injection union select exploitation. My guess is that this value does not hold any specific "value" for the rdbms behind the application but may hold some specific for the tool used to perform the sql injection attempts (for example it may be used in parsing/tokenising the results of the union select in the returned page responce.split(0x31..)).

./Z
1025480056 is the decimal representation of the IP address 61.31.149.120 which originated on Taiwan according to whois.

Diary Archives